new post, install guide, archlinux with SELinux, full disk encryption and secure boot

2026-01-25 20:10:10 +01:00
parent c659767ba2
commit f5fffb9716
1 changed files with 461 additions and 0 deletions
--- a/_posts/2026-01-25-archlinux-uefi-lvm-on-luks-with-selinux-installation-guide.md
+++ b/_posts/2026-01-25-archlinux-uefi-lvm-on-luks-with-selinux-installation-guide.md
@@ -0,0 +1,461 @@
 ---
 layout: post
 author: Sam Hadow
 tags: archlinux selinux sysadmin
 ---
 This post is a guide to install archlinux in UEFI with full disk encryption (LVM on LUKS), SELinux enabled and optionally secure boot.  
 **Warning:** apparmor is much easier to use on archlinux, SELinux on archlinux **will** require you to write some policies manually. Fedora is a better solution if you want SELinux working out of the box and don't want to fight SELinux writing policies. This guide is mostly for advanced users.
 ## preparing installation media
 Follow the initial steps from archlinux [wiki](https://wiki.archlinux.org/title/Installation_guide) to prepare your installation media, the most convenient solution is to copy the ISO to a [ventoy](https://www.ventoy.net/en/index.html) USB key.  
 Then boot your archlinux ISO and first check you have internet access on your computer:
 ```bash
 ping archlinux.org
 ```
 If using WiFi, you'll need to use [iwctl](https://wiki.archlinux.org/title/Iwd#iwctl)  
 # installation steps
 ## 1) setting up LVM and preparing volumes
 ### 1.1) loading the required kernel modules
 ```bash
 modprobe efivarfs
 modprobe dm-crypt 
 modprobe dm-mod 
 ```
 ### 1.2) partition table
 Find the disk you want to use to install your system with `lsblk`. For me it's `vda` as I'm using a virtual machine to write this guide.  
 **important:** Select a GPT parition table type and not MBR.  
 Create a partition table with `cfdisk /dev/vda` (or your prefered tool) and create 2 partitions:
 + `/dev/vda1` as ef EFI (FAT-12/16/32) type, a size of 512MB is fine
 + `/dev/vda2` as 83 Linux filesystem type for the rest of the disk
 Write the partition table to the disk.
 ### 1.3) setting up the encrypted volume
 Create the encrypted volume, it will ask you for a confirmation and let you choose a passphrase. (Note that PBKDF2 key derivation algorithm is weaker than Argon2 but is required when using the default grub bootloader, the installation using systemd-boot will not be covered in this guide.)
 ```bash
 cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/vda2
 ```
 Then open it with the passphrase chosen.
 ```bash
 cryptsetup luksOpen /dev/vda2 luks
 ```
 ### 1.4) setting up LVM
 We will create 3 volumes, one for the SWAP, one for the ROOT filesystem and one for the HOME filesystem. Adapt the sizes to what is appropriate for you, in my case I'm using a virtual machine with a 25GB disk so I won't create a huge root volume.
 ```bash
 pvcreate /dev/mapper/luks
 vgcreate system /dev/mapper/luks
 lvcreate -L 1G -n swap system
 lvcreate -L 10G -n root system
 lvcreate -l 100%FREE -n home system
 ```
 ### 1.5) formating and mounting the volumes
 I'll use a BTRFS filesystem but use the filesystem you prefer.
 ```bash
 #formatting
 mkfs.fat -F32 /dev/vda1
 fatlabel /dev/vda1 BOOT
 mkswap -L SWAP /dev/mapper/system-swap
 mkfs.btrfs -L ROOT /dev/mapper/system-root
 mkfs.btrfs -L HOME /dev/mapper/system-home
 #mounting
 swapon /dev/mapper/system-swap
 mount -o compress=zstd /dev/mapper/system-root /mnt 
 mkdir -p /mnt/{home,boot,boot/efi,etc}
 mount -o compress=zstd /dev/mapper/system-home /mnt/home
 mount /dev/vda1 /mnt/boot/efi
 ```
 Then create the fstab.
 ```bash
 genfstab -pU /mnt >> /mnt/etc/fstab
 ```
 ## 2) base installation
 ### 2.1) installing required packages
 We'll use reflector to generate the mirrorlist. Adapt the country code to pick the closest mirrors.
 ```bash
 reflector -c FR -p https -a 12 --sort rate --save /etc/pacman.d/mirrorlist
 ```
 Then install the required packages and some useful packages.
 ```bash
 pacstrap -i /mnt base base-devel linux linux-firmware linux-headers pacman-contrib man-pages btrfs-progs vim git bash-completion
 ```
 ### 2.2) chroot
 Chroot into the system to continue the installation.
 ```bash
 arch-chroot /mnt /bin/bash
 ```
 #### 2.2.1) locales, hostname, clock and timezone
 In the file `/etc/locale.gen`, uncomment your locales (for example `en_US.UTF-8 UTF-8`)  
 You can also set your preferences for the virtual console in `/etc/vconsole.conf`, for example for a QWERTY layout:  
 ```ini
 KEYMAP=us
 FONT=lat9w-16
 ```
 And in `/etc/locale.conf` (LC_COLLATE=C for case sensitive sorting):
 ```ini
 LANG=en_US.UTF-8
 LC_COLLATE=C 
 ```
 And finally generate the locales:
 ```bash
 locale-gen 
 ```
 You can set your hostname in `/etc/hostname`.  
 For your clock and timezone: (adapt to your timezone)
 ```bash
 ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
 hwclock --systohc --utc
 ```
 #### 2.2.2) root password and user creation
 Set your root password with `passwd`  
 Then create a user (named sam here) in the wheel group (to use sudo) and set its password with:
 ```bash
 useradd -m -G wheel sam
 passwd sam
 ```
 and uncomment the line containing `%wheel ALL=(ALL:ALL) ALL` in `/etc/sudoers`
 #### 2.2.3) SELinux installation (from AUR)
 Log in as your created user and install an AUR helper to make things easier:
 ```bash
 su sam
 cd
 git clone https://aur.archlinux.org/yay.git
 cd yay
 makepkg -si
 cd
 ```
 Then install the required packages for SELinux to work. It will ask you for replacements with conflicting packages, answer yes every time.
 ```bash
 yay -S libsepol libselinux checkpolicy secilc setools libsemanage semodule-utils policycoreutils selinux-python python-ipy mcstrans restorecond
 yay -S pam-selinux pambase-selinux coreutils-selinux findutils-selinux iproute2-selinux logrotate-selinux openssh-selinux psmisc-selinux shadow-selinux cronie-selinux
 yay -S sudo-selinux
 ```
 Note: If `sudo-selinux` fails to build, build it with `--nocheck` option:
 ```bash
 cd ~/.cache/yay/sudo-selinux
 makepkg -si --nocheck
 ```
 Then exit your user, remodify `/etc/sudoers` to uncomment the line containing `%wheel ALL=(ALL:ALL) ALL` and relog as your user. After that:
 ```bash
 sudo pacman -S less
 yay -S systemd-selinux systemd-libs-selinux util-linux-selinux util-linux-libs-selinux
 cd ~/.cache/yay/systemd-selinux
 makepkg -si --nocheck
 ```
 Due to a [cyclic dependency which won't be fixed](https://bugs.archlinux.org/task/39767) the complete build will fail at first, that's why you need to manually build systemd-selinux again after. For some reason less is also required for the build but not a build dependency.  
 Then more SELinux packages and a policy:
 ```bash
 yay -S selinux-alpm-hook dbus-selinux selinux-refpolicy-arch
 ```
 If the check fails for `dbus-selinux` build it with `--nocheck` option:
 ```bash
 cd ~/.cache/yay/dbus-selinux
 makepkg -si --nocheck
 ```
 If you want to apply a fedora-style user context (as root):
 ```bash
 semanage login -m -s unconfined_u __default__
 ```
 #### 2.2.4) necessary packages
 Network for next boot:
 ```bash
 pacman -S networkmanager
 systemctl enable NetworkManager
 ```
 grub and lvm2:
 ```bash
 pacman -S grub efibootmgr lvm2
 ```
 Secure boot:  
 *Note: If you don't want to bother with secure boot, do not run sbctl related command, and later when generating the boot image with grub, remove* `--modules="tpm" --disable-shim-lock` *from the command*
 ```bash
 pacman -S sbctl
 sbctl create-keys
 sbctl enroll-keys -m
 ```
 If you also want to enroll hardware security keys, use [systemd-cryptenroll](https://wiki.archlinux.org/title/Systemd-cryptenroll)
 #### 2.2.5) opional packages
 If you have an intel CPU:
 ```bash
 pacman -S intel-ucode
 ```
 If you have a laptop and want battery optimization:
 ```bash
 pacman -S tlp
 systemctl enable tlp
 ```
 If you need bluetooth:
 ```bash
 pacman -S bluez
 systemctl enable bluetooth
 ```
 If you want 32bits apps (necessary for some packages), in `/etc/pacman.conf` uncomment these lines:
 ```ini
 #[multilib]
 #include = /etc/pacman.d/mirrorlist
 ```
 #### 2.2.5) generating boot images
 in `/etc/mkinitcpio.conf` on the `MODULES=()` line, add `dm-mod` and in the `HOOKS=()` line you should have:
 ```ini
 HOOKS=(base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck)
 ```
 Then:
 ```bash
 mkinitcpio -p linux
 ```
 sbctl post-hook should automatically sign `/boot/vmlinuz-linux`. Otherwise run:
 ```bash
 sbctl sign -s /boot/vmlinuz-linux
 ```
 Then in `/etc/default/grub`  
 + uncomment the line `GRUB_UNABLE_CRYPTODISK=y`
 + in `GRUB_CMDLINE_LINUX=""` add `cryptdevice=/dev/vda2:system root=/dev/mapper/system-root`
 + in `GRUB_CMDLINE_LINUX_DEFAULT=""` add `lsm=selinux,landlock,lockdown,yama,integrity,bpf`
 Then:  
 ```bash
 grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --modules="tpm" --disable-shim-lock --recheck
 grub-mkconfig -o /boot/grub/grub.cfg
 sbctl sign -s /boot/efi/EFI/arch_grub/grubx64.efi
 ```
 *Please note that in a virtual machine you'll need an emulated TPM for the virtual machine to boot if you want secure boot enabled.* 
 ### 3) exit and reboot
 ```bash
 exit    # until you exit the chroot
 umount -R /mnt
 swapoff -a
 reboot
 ```
 ### 4) post reboot steps
 #### 4.1) relabel files
 check SELinux status with `sestatus`, it should be in permissive with refpolicy-arch as the loaded policy.  
 Relabel all the files correctly with the following command:  
 ```bash
 restorecon -RFv
 ```
 you might want to clean yay cache before doing that to have less files to relabel:  
 ```bash
 rm -rf ~/.cache/yay/*
 ```
 #### 4.2) enable auditd
 enable auditd service to read AVC denials from SELinux later.  
 ```bash
 systemctl enable --now auditd
 ```
 #### 4.3) create and load necessary policy
 Create a file `requiredmod.te` with the following content:
 ```text
 module requiredmod 1.0;
 require {
        type auditd_etc_t;
        type getty_t;
        type var_run_t;
        type tmpfs_t;
        type local_login_t;
        type systemd_tmpfiles_t;
        type init_runtime_t;
        type devpts_t;
        type kernel_t;
        type device_t;
        type udev_t;
        type hugetlbfs_t;
        type udev_tbl_t;
        type policy_config_t;
        type tmp_t;
        type unconfined_t;
        type var_lib_t;
        type systemd_userdbd_runtime_t;
        type systemd_user_runtime_dir_t;
        type systemd_sessions_t;
        type systemd_userdbd_t;
        type etc_runtime_t;
        type systemd_logind_t;
        type file_context_t;
        type semanage_t;
        type selinux_config_t;
        type initrc_runtime_t;
        type sshd_t;
        class dir { write add_name remove_name getattr open read search };
        class file { getattr open read write create getattr ioctl lock relabelfrom relabelto setattr unlink };
        class sock_file write;
        class unix_stream_socket { read write ioctl connectto};
        class capability2 block_suspend;
        class filesystem { associate quotaget quotamod };
        class key { link search };
        class process { noatsecure rlimitinh siginh transition };
 }
 #============= getty_t ==============
 allow getty_t tmpfs_t:dir { getattr open read };
 allow getty_t var_run_t:file { getattr open read };
 allow getty_t initrc_runtime_t:dir { getattr open read };
 #============= local_login_t ==============
 allow local_login_t init_runtime_t:sock_file write;
 allow local_login_t systemd_logind_t:unix_stream_socket connectto;
 allow local_login_t var_lib_t:dir { add_name remove_name };
 allow local_login_t var_lib_t:file { create getattr lock open read setattr unlink write };
 #============= sshd_t ==============
 allow sshd_t local_login_t:key { link search };
 allow sshd_t systemd_logind_t:unix_stream_socket connectto;
 allow sshd_t unconfined_t:process { noatsecure rlimitinh siginh };
 #============= systemd_tmpfiles_t ==============
 allow systemd_tmpfiles_t auditd_etc_t:dir search;
 allow systemd_tmpfiles_t auditd_etc_t:file getattr;
 #============= systemd_sessions_t ==============
 allow systemd_sessions_t kernel_t:dir search;
 allow systemd_sessions_t kernel_t:file { getattr ioctl open read };
 #============= systemd_user_runtime_dir_t ==============
 allow systemd_user_runtime_dir_t etc_runtime_t:file { open read };
 allow systemd_user_runtime_dir_t kernel_t:dir search;
 allow systemd_user_runtime_dir_t kernel_t:file { getattr ioctl open read };
 allow systemd_user_runtime_dir_t systemd_userdbd_runtime_t:sock_file write;
 allow systemd_user_runtime_dir_t systemd_userdbd_t:unix_stream_socket connectto;
 allow systemd_user_runtime_dir_t tmp_t:dir read;
 allow systemd_user_runtime_dir_t tmpfs_t:filesystem { quotaget quotamod };
 #============= systemd_userdbd_t ==============
 allow systemd_userdbd_t initrc_runtime_t:dir { getattr open read search };
 #============= devpts_t ==============
 allow devpts_t device_t:filesystem associate;
 #============= hugetlbfs_t ==============
 allow hugetlbfs_t device_t:filesystem associate;
 #============= kernel_t ==============
 allow kernel_t self:capability2 block_suspend;
 #============= tmpfs_t ==============
 allow tmpfs_t device_t:filesystem associate;
 #============= udev_t ==============
 allow udev_t kernel_t:unix_stream_socket { read write ioctl };
 allow udev_t udev_tbl_t:dir { write add_name };
 allow udev_t var_run_t:sock_file write;
 ```
 Run the following command to compile and load the module:
 ```bash
 checkmodule -m -o requiredmod.mod requiredmod.te
 semodule_package -o requiredmod.pp -m requiredmod.mod
 semodule -i requiredmod.pp
 ```
 And set a few booleans:
 ```bash
 setsebool -P allow_polyinstantiation on
 setsebool -P systemd_tmpfiles_manage_all on
 setsebool -P ssh_sysadm_login on
 ```
 Then in `/etc/selinux/config`, set SELinux mode to enforcing instead of permissive and reboot.  
 And that's it, you now have a minimal archlinux installation in UEFI with full disk encryption, secure boot, and SELinux in enforcing mode.